Comment 3 for bug 2017447

Birgit Edel (biredel) wrote:

dupe LP: #1996803
Related: https://bugzilla.mozilla.org/show_bug.cgi?id=1792006

Reproducible, plausibly dangerous, and not mentioned in the "install" section of the man page.

Sure, if one knows that Canonical-published snaps can trigger installation of 3rd-party-published snaps despite specifically disabling the system-wide "APT::Install-Recommends" setting, one can act accordingly.

But how would users even learn that snap, when solely instructed to install a non-privileged browser, also decides to enable a privileged network daemon? One that certainly has a high risk of exposing additional RCE bugs, the threat level of which in the snap scenario is however not obvious from documentation like https://ubuntu.com/security/cves?q=&package=cups